Annex 4. Organizations
Here we have collected information on a few useful organizations you can contact for more information and additional assistance.
Professional Organizations
You may find the following organizations helpful. The first few provide newsletters, training, and conferences. FIRST organizations may be able to provide assistance in an emergency.
Association for Computing Machinery (ACM)
The Association for Computing Machinery is the oldest of the computer science professional organizations. It publishes many scholarly journals and annually sponsors dozens of research and community-oriented conferences and workshops. The ACM also is involved with issues of education, professional development, and scientific progress. It has a number of special interest groups (SIGs) that are concerned with security and computer use. These include the SIGs on Security, Audit and Control; the SIG on Operating Systems; the SIG on Computers and Society; and the SIG on Software Engineering.
The ACM may be contacted at:
ACM Headquarters
One Astor Plaza
1515 Broadway
17th Floor
New York, New York 10036-5701
+1-212-869-7440
ACM has a US Public policy committee that comments on pending legislation affecting security, privacy, and usability. Many of the items they are concerned with should also be of concern to those interested in security.
http://www.acm.org/usacm/
The ACM has an extensive set of electronic resources, including information on its conferences and special interest groups. The information provided through the World Wide Web page is especially comprehensive and well organized:
http://www.acm.org
American Society for Industrial Security (ASIS)
The American Society for Industrial Security is a professional organization for those working in the security field. ASIS has been in existence for 40 years and has 32,000 members worldwide as of 2002. Its 25 standing committees focus on particular areas of security, including computer security. The group publishes a monthly magazine devoted to security and loss management. ASIS also sponsors meetings and other group activities. Membership is open only to individuals involved with security at a management level.
More information may be obtained from http://www.asisonline.org or:
American Society for Industrial Security
1625 Prince Street
Alexandria, Virginia 22314-2818
+1-703-519-6200
http://www.asisonline.org/
www.cisecurity.org
Cisecurity is a useful source of security information, checklists, and tools for Unix and Windows.
Computer Security Institute (CSI)
The Computer Security Institute was established in 1974 as a multiservice organization dedicated to helping its members safeguard their electronic data processing resources. CSI sponsors workshops and conferences on security, publishes a research journal and a newsletter devoted to computer security, and serves as a clearinghouse for security information. The Institute offers many other services to members and the community on a for-profit basis. Of particular use is an annual Computer Security Buyer’s Guide that lists sources of software, literature, and security consulting. You may contact CSI at http://www.gocsi.com or:
Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
+1-415-947-6320
Electronic Frontier Foundation (EFF)
EFF advocates and litigates on issues related to civil liberties and freedom on the Internet. Although its concerns are considerably broader than security, EFF maintains an interesting archive of privacy- and security-related documents at http://www.eff.org/Privacy. EFF can be contacted through that web site, or:
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110-1914
+1-415-436-9333
Electronic Privacy Information Center (EPIC)
EPIC is a public interest research center that studies electronic privacy issues. EPIC litigates and advocates for privacy and civil liberties. EPIC’s web site is http://www.epic.org, or it can be contacted at:
1718 Connecticut Avenue, NW, Suite 200
Washington, DC 20009
+1-202-483-1140
Email: info@epic.org
High Technology Crimes Investigation Association (HTCIA)
The HTCIA is a professional organization for individuals involved with the investigation and prosecution of high-technology crime, including computer crime. There are chapters throughout the U.S. and in many other countries. Information is available via the WWW page or through regular mail or phone:
http://htcia.org
HTCIA, Inc.
1474 Freeman Dr.
Amissville, VA 20106
+1 540-937-5019
Information Systems Security Association (ISSA)
The ISSA is an international organization of information security professionals and practitioners. It provides education forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. They publish a magazine and sponsor conferences and workshops. Chapters are present throughout the U.S. and around the world.
For more information about ISSA, contact:
ISSA Headquarters
7044 S. 13th Street
Oak Creek, WI 53154
+1-414-768-8000
+1-800-370-ISSA
ISSA has a WWW page at:
http://www.issa.org
Information Systems Audit and Control Association (ISACA)
The ISACA is an international organization of information security management, audit and consulting professionals and practitioners. It provides education forums, publications, professional certification and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. They publish a magazine and sponsor research, conferences and workshops. Chapters are present throughout the U.S. and around the world.
For more information about ISACA, contact:
ISACA Headquarters
3701 Algonquin Road, Suite 1010
Rolling Meadows, Illinois 60008, USA
+1-847-253-1545
+1-847-253-1443
ISACA has a WWW page at:
http://www.isaca.org
International Information Systems Security Certification Consortium, Inc.
The (ISC)2 is an international organization that supervises the CISSP and SSCP professional certifications. The Certified Information Systems Security Professional and Systems Security Certified Practitioner designations are widely accepted as standard levels of certification of those working in security. The organization requires certificants to subscribe to a professional code of conduct and to undergo continuing education after passing the initial tests.
More information can be found on the WWW site or via mail.
http://www.isc2.org
(ISC)2 Services
P.O. Box 1117
Dunedin, FL 34697 USA
+1.888.333.4458
(ISC)2 Europe Operations
Nestor House
London UK EC4V 5EX
+44 (0) 20 7779 8030
(ISC)2 Asia Operations
17/F., Printing House
Central Hong Kong
+852 2111 6612
The Internet Society
The Internet Society sponsors many activities and events related to the Internet, including an annual symposium on network security. For more information, contact the Internet Society:
http://www.isoc.org
You may also contact the Society’s US or European headquarters:
1775 Wiehle Ave., Suite 102
Reston, VA 20190-5108
+1-703-326-9880
4, rue des Falaises
CH-1205 Geneva
Switzerland
+41-22-807-1444
Email: info@isoc.org
IEEE Computer Society
With nearly 100,000 members, the Computer Society is the largest member society of the Institute of Electrical and Electronics Engineers (IEEE). It too is involved with scholarly publications, conferences and workshops, professional education, technical standards, and other activities designed to promote the theory and practice of computer science and engineering. The IEEE–CS also has special interest groups, including a Technical Committee on Security and Privacy, a Technical Committee on Operating Systems, and a Technical Committee on Software Engineering. More information on the Computer Society may be obtained from:
IEEE Computer Society
1730 Massachusetts Avenue N.W.
Washington, DC 20036-1992
+1-202-371-0101
The Computer Society has a set of WWW pages starting at:
http://www.computer.org
The Computer Society’s Technical Committee on Security and Privacy has a number of resources, including an online newsletter:
http://www.ieee-security.org/
IFIP Technical Committee 11
The International Federation for Information Processing, Technical Committee 11, is devoted to research, education, and communication about information systems security. The working groups of the committee sponsor various activities, including conferences, throughout the world. More information may be obtained from:
http://www.ifip.org
(Follow the links for security or for TC 11.)
Systems Administration and Network Security (SANS)
SANS conducts workshops and conferences around the U.S. to provide continuing education in various aspects of system administration and security. This includes training in intrusion detection, firewalls, and general security. The organization also provides various on-line newsletters and alerts, plus some self-paced instruction. More information can be found on their WWW site.
http://www.sans.org
USENIX/SAGE
The USENIX Association is a nonprofit education organization for users of UNIX and UNIX-like systems. The Association publishes a magazine, sponsors numerous conferences, and has representatives on international standards bodies. The Association sponsors an annual workshop on UNIX security and another on systems administration, plus many conferences with security-related information.
SAGE stands for the Systems Administrators Guild. It is a special technical group of the USENIX Association. To join SAGE, you must also be a member of USENIX. Information on USENIX and SAGE can be obtained from:
USENIX Association
2560 Ninth Street
Suite 215
Berkeley, CA 94710
+1-510-528-8649
office@usenix.org
The USENIX WWW page is at:
http://www.usenix.org
U.S. Government Organizations
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (formerly the National Bureau of Standards) has been charged with the development of computer security standards and evaluation methods for applications not involving the Department of Defense (DoD). Its efforts include research as well as developing standards. More information on NIST’s activities can be obtained by contacting:
NIST Computer Security Division
100 Bureau Drive
Mail Stop 8930
Gaithersburg, MD 20899-8930
+1-301-975-2934
http://www.nist.gov
NIST operates the Computer Security Resource Center:
http://csrc.nist.gov/
National Security Agency (NSA)
The NSA maintains lists of evaluated and certified products, as well as technical information about security, especially cryptography. Linux users may be interested in the NSA Secure Linux program, a set of kernel patches that enhances Linux security. NSA also operates the National Cryptologic Museum in Maryland, and has an online museum of cryptology. The NSA web site is http://www.nsa.gov.
Also available from the site are a number of helpful configuration guides for common operating systems and routers. These guides provide helpful tips on changing default configurations to support better security and control.
Emergency Response Organizations
The Department of Justice, FBI, and U.S. Secret Service organizations listed below investigate violations of the federal laws related to fraud, theft, and the misuse of computer resources. The various response teams that comprise the Forum of Incident and Response Security Teams (FIRST) do not investigate computer crimes per se, but provide assistance when security incidents occur; they also provide research, information, and support that can often help prevent those incidents from occurring or spreading.
Note that Federal agencies often have field (local) offices where you can get more personal contact, although not all field offices are staffed by personnel with the same level of training as those at headquarters offices. You can check your phone directory for local numbers: look under “US Government.”
Department of Justice (DOJ)
10th & Constitution Ave., NW
Criminal Division, (Computer Crime & Intellectual Property Section)
John C. Keeney Building, Suite 600
Washington, DC 20530
+1-202-514-1026
http://www.cybercrime.gov
Federal Bureau of Investigation (FBI)
In addition to the NIPC, the FBI also runs InfraGard, a set of regional cooperative efforts uniting the FBI and local businesses to protect against computer crime. The InfraGard links may be found on the NIPC WWW pages.
National Infrastructure Protection Center
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW
Washington, D.C. 20535-0001
+1-202-323-3205
http://www.nipc.gov
U.S. Secret Service (USSS)
Financial Crimes Division
Electronic Crime Branch
U.S. Secret Service
Washington, DC 20223
Voice: +1-202-435-7700
http://www.ustreas.gov/usss/financial_crimes.shtml
Forum of Incident and Response Security Teams (FIRST)
The Forum of Incident and Response Security Teams (FIRST) was established in March 1993. FIRST is a coalition that brings together a variety of computer security incident-response teams from the public and private sectors, as well as from universities. FIRST’s constituents comprise many response teams throughout the world. FIRST’s goals are to:
• Boost cooperation among information technology users in the effective prevention of, detection of, and recovery from computer security incidents
• Provide a means to alert and advise clients on potential threats and emerging incident situations
• Support and promote the actions and activities of participating incident response teams, including research and operational activities
• Simplify and encourage the sharing of security-related information, tools, and techniques
FIRST sponsors an annual workshop on incident response that includes tutorials and presentations by members of response teams and law enforcement.
FIRST incorporated in mid-1995 as a nonprofit entity, and migrated FIRST Secretariat duties away from NIST.
The Secretariat can be reached at:
FIRST Secretariat
First.Org, Inc.
PMB 349
650 Castro Street, Suite 120
Mountain View, CA 94041
Email: first-sec@first.org
http://www.first.org/
FIRST consists of a large number of member organizations. Check online for the most up-to-date list of members. If you have a security problem or need assistance, first attempt to determine which of these organizations most clearly covers your operations and needs. If you are unable to determine which (if any) FIRST group to approach, call any of them for a referral to the most appropriate team.
Most of these response teams have a PGP key with which they sign their advisories or enable constituents to report problems in confidence:
http://www.first.org/rep-info/
Most teams have arrangements to monitor their phones 24 hours a day, 7 days a week.
Computer Emergency Response Team Coordination Center (CERT/CC)
One particularly notable FIRST team is the CERT® Coordination Center, which serves all Internet sites. CERT grew from the computer emergency response team formed by the Advanced Research Projects Agency (ARPA) in November 1988 (in the wake of the Internet Worm and similar incidents). The CERT/CC charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community’s awareness of computer security issues, and to conduct research into improving the security of existing systems. Their WWW archive (http://www.cert.org) contains an extensive collection of alerts about past (and current) security problems. Contact CERT at:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
+1-412-268-7090 (24 hour hotline)
Email: cert@cert.org